SEC04-BP02: Capture logs, findings, and metrics in standardized locations

Security operations teams require access to logs, findings, and metrics to investigate security events. Ensure that logs, findings, and metrics are captured in standardized locations and formats. For example, ensure that logs are sent to a centralized logging solution, and that findings from security services are sent to a centralized location such as AWS Security Hub.

Implementation guidance

Standardizing the collection and storage of logs, findings, and metrics is crucial for effective security operations. By centralizing these data sources in consistent formats and locations, you enable efficient analysis, correlation, and response to security events across your entire AWS environment.

Key steps for implementing this best practice:

1. Establish centralized logging architecture:
   • Design a centralized logging strategy for your organization
   • Choose appropriate storage solutions for different log types
   • Implement log aggregation from multiple sources
   • Define standard log formats and schemas
   • Establish log routing and distribution mechanisms
2. Centralize security findings:
   • Configure AWS Security Hub as your central findings repository
   • Enable integration with all AWS security services
   • Configure third-party security tools to send findings to Security Hub
   • Implement custom findings for application-specific security events
   • Standardize finding formats using AWS Security Finding Format (ASFF)
3. Implement standardized metrics collection:
   • Define security metrics and KPIs for your organization
   • Use Amazon CloudWatch for centralized metrics storage
   • Implement custom metrics for application security events
   • Create standardized dashboards for security monitoring
   • Set up automated alerting based on metric thresholds
4. Configure cross-account log aggregation:
   • Set up cross-account log delivery for multi-account environments
   • Implement centralized log storage in a dedicated security account
   • Configure appropriate IAM permissions for cross-account access
   • Use AWS Organizations for simplified cross-account setup
   • Implement log replication for high availability
5. Implement data normalization and enrichment:
   • Standardize log formats across different sources
   • Implement log parsing and normalization
   • Enrich logs with contextual information
   • Implement correlation identifiers across log sources
   • Use consistent timestamp formats and time zones
6. Ensure data integrity and retention:
   • Implement log integrity verification
   • Configure appropriate retention policies
   • Set up automated archival to cost-effective storage
   • Implement backup and disaster recovery for log data
   • Ensure compliance with regulatory retention requirements

Implementation examples

Example 1: Centralized logging with Amazon CloudWatch Logs

Code snippet hidden for website display

Example 2: AWS Security Hub configuration for centralized findings

Code snippet hidden for website display

Example 3: Standardized metrics collection with CloudWatch

Code snippet hidden for website display

Example 4: Cross-account log aggregation with AWS Organizations

Code snippet hidden for website display

AWS services to consider

AWS Security Hub

Provides a comprehensive view of your security state in AWS and helps you check your compliance with security standards and best practices. Central repository for security findings from multiple sources.

Amazon CloudWatch Logs

Monitors, stores, and provides access to your log files from Amazon EC2 instances, AWS CloudTrail, and other sources. Centralized logging solution with cross-account capabilities.

Amazon CloudWatch

Monitors your AWS resources and the applications you run on AWS in real time. Centralized metrics collection and dashboard creation for security monitoring.

Amazon S3

Object storage service that offers industry-leading scalability, data availability, security, and performance. Cost-effective long-term storage for logs and findings.

AWS Organizations

Helps you centrally manage and govern your environment as you scale your AWS resources. Simplifies cross-account log aggregation and centralized security management.

Amazon Kinesis Data Firehose

A fully managed service for delivering real-time streaming data to destinations such as Amazon S3, Amazon Redshift, Amazon Elasticsearch Service, and Splunk. Useful for real-time log streaming and processing.

Benefits of capturing logs, findings, and metrics in standardized locations

• Improved security visibility: Centralized view of security events across your entire environment
• Enhanced incident response: Faster correlation and analysis of security events
• Simplified compliance: Centralized audit trails and standardized reporting
• Operational efficiency: Reduced complexity in security monitoring and analysis
• Better threat detection: Improved ability to identify patterns and anomalies
• Cost optimization: Efficient storage and processing of security data
• Scalable architecture: Supports growth in data volume and organizational complexity

Related resources

Related Resources

• AWS Well-Architected Framework - Capture logs, findings, and metrics in standardized locations
• AWS Security Hub User Guide
• Amazon CloudWatch Logs User Guide
• AWS Security Finding Format (ASFF)
• How to centralize findings from AWS security services using AWS Security Hub custom insights
• How to set up a two-tier permissions model for cross-account access to AWS Security Hub